Lecture04_NetworkProtections (2)

The document discusses network defenses, focusing on the OSI model, firewalls, and intrusion detection systems (IDS). It explains how firewalls separate trusted and untrusted networks, detailing various types of firewalls and their functionalities. Additionally, it covers IDS types, including signature-based and heuristic-based systems, emphasizing their roles in detecting potential security incidents.

Network Defenses

KAMI VANIEA
21 JANUARY

KAMI VANIEA 1
First, the news…
• The Great Cannon of China
• https://citizenlab.org/2015/04/chinas-great-cannon/

Today
• Open System Interconnect (OSI) model
• Firewalls
• Intrusion detection systems (IDS)
• Time allowing:
◦ Network Address Translation (NAT)

Open Systems Interconnect (OSI) model
 A good way to think about networking steps logically
 Not how software is actually built

Image from: http://www.tech-faq.com/osi-model.html


OSI in terms of debugging errors (roughly from level 7 down to level 1)
• Can your browser open another website?
• Do you have a viewer that supports jpg (image format)?
• Can you ping the webserver you are trying to reach?
• Can you ping the gateway or DNS server?
• Do you have an IP address?
• Is the light on the modem on?
• Is the network cable plugged in?
Data starts at the top of the OSI stack at level 7. It progresses down the stack with each successive level adding or changing information. At level 1 it travels across the physical layer to the recipient computer. The recipient then processes the data up the stack, and at level 7 an application processes the data.

[Figure: the same seven-level stack drawn twice, for the sender (an Apache server) and the recipient (a Firefox user)]

Level | Layer | Role
7 | Application | Network process to application
6 | Presentation | Data representation and encryption
5 | Session | Interhost communication
4 | Transport | End-to-end connection and reliability
3 | Network | Path determination and IP (logical addressing)
2 | Data Link | MAC and LLC (physical addressing)
1 | Physical | Media, signal, and binary transmission
Information is added to the message as it travels down the OSI levels
 Levels 7 and 6 involve the internal representation of the message
 Levels 5 and 4 involve setting up the connection
 Levels 3, 2, and 1 add header (H) and tail (T) information to each packet

[Figure: the message M at each level, as drawn on the slide]
7 Application   M
6 Presentation  M
5 Session       M
4 Transport     M
3 Network       H3 M T3
2 Data Link     H2 H3 M T3 T2
1 Physical      H1 H2 H3 M T3 T2 T1

(The drawing is simplified: in a real TCP/IP stack the transport level also prepends its own header, which carries the port numbers, and IP adds a header but no trailer; the level 2 trailer is the Ethernet frame check sequence.)
Header data on a packet
1. Physical
2. Data link – frame header: the information needed to physically transport the packet
3. Network – IP header: version 4 Internet Protocol (IP) information, the type of the next header (the protocol field, which says whether a TCP or UDP header follows), and the source and destination IP addresses
4. Transport
…
7. Application
Firewalls
Firewalls
• Firewalls divide the untrusted outside of a network from the more trusted interior of a network
• Often they run on dedicated devices
◦ Fewer possibilities for compromise – no compilers, linkers, loaders, debuggers, programming libraries, or other tools an attacker might use to escalate their attack
◦ Easier to maintain few accounts
◦ Physically divide the inside from the outside of a network
Sample network
[Figure: inside the boundary firewall are user desktop PCs and laptops, card readers, user mobile devices on a wireless access point, the email, web and application servers, and the databases. Outside it are personal devices, a home PC and home server behind a user's router, 3rd party routers, and the Internet.]

[Figure: traffic from the Internet and from the local network both arrive at the boundary firewall, which applies its rules and either forwards the traffic or discards it]
 Questionable things come from the internet AND from the local network
 Firewall applies a set of rules
 Based on the rules, it allows or denies the traffic
 Firewalls can also act as routers, deciding where to send traffic

Rule | Type | Source Address | Destination Address | Destination Port | Action
1 | TCP | * | 192.168.1.* | 22 | Permit
2 | UDP | * | 192.168.1.* | 69 | Permit
3 | TCP | 192.168.1.* | * | 80 | Permit
4 | TCP | * | 192.168.1.18 | 80 | Permit
5 | UDP | * | 192.168.1.* | * | Deny
[Figure: the seven-level OSI stack for the sender (Apache server) and the recipient (Firefox user), repeated from slide 6]

A firewall takes in network traffic and compares it to a set of rules. In order to do so it must first process several OSI levels to reach the data it needs. For example, to filter out all traffic from IP 216.34.181.45 the packet needs to be processed through level 3, where IP addresses can be read.

[Figure: the firewall sits between sender and recipient and implements only levels 1 (Physical), 2 (Data Link) and 3 (Network); all seven levels exist only on the two end hosts]
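As an added example, not from the lecture, here is how the header slides (8 to 10) and the rule table on slide 14 fit together: a Python script builds constructed IPv4 packets with struct, walks the level 3 and level 4 headers the way a packet filter must before it can read addresses and ports, and then evaluates the slide's five rules. First-match-wins ordering, the trailing default deny, the octet-wise reading of 192.168.1.*, and all sample addresses (taken from the documentation ranges) are assumptions made for this example.

```python
import socket
import struct

# Constructed sample packets (not from the lecture): a minimal IPv4 header
# followed by a TCP or UDP header, built with struct so the example runs offline.
# Checksums are left at 0 because nothing here transmits them.

def build_ipv4(proto, src, dst, payload):
    """20-byte IPv4 header (no options): version 4, IHL 5, TTL 64, then payload."""
    ver_ihl = (4 << 4) | 5
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def build_tcp(sport, dport):
    """20-byte TCP header: ports, seq, ack, data offset 5, SYN flag, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def build_udp(sport, dport, data=b""):
    """8-byte UDP header: ports, length, checksum, then data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def parse_packet(raw):
    """The work a firewall must do before it can apply a rule: read the level 3
    (IP) header for addresses and the protocol field, then the level 4 header for ports."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes; options make it > 20
    l4 = raw[ihl:]
    if proto == 6:                        # protocol field says a TCP header follows
        kind = "TCP"
    elif proto == 17:                     # a UDP header follows
        kind = "UDP"
    else:
        return {"type": "OTHER", "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                "sport": None, "dport": None}
    sport, dport = struct.unpack("!HH", l4[:4])   # ports are the first two fields of both
    return {"type": kind, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport}

# The ruleset from the slide: (number, type, source, destination, destination port, action).
RULES = [
    (1, "TCP", "*", "192.168.1.*", "22", "Permit"),
    (2, "UDP", "*", "192.168.1.*", "69", "Permit"),
    (3, "TCP", "192.168.1.*", "*", "80", "Permit"),
    (4, "TCP", "*", "192.168.1.18", "80", "Permit"),
    (5, "UDP", "*", "192.168.1.*", "*", "Deny"),
]

def match_addr(pattern, addr):
    """Compare octet by octet. A plain string glob would let '192.168.1.*' match
    192.168.10.5, silently widening the rule; octet comparison does not."""
    if pattern == "*":
        return True
    return all(p == "*" or p == a for p, a in zip(pattern.split("."), addr.split(".")))

def evaluate(fields, rules=RULES, default="Deny"):
    """First matching rule wins (assumed; the slide does not state an order).
    Packets no rule mentions fall through to the assumed default deny."""
    for num, kind, src, dst, port, action in rules:
        if kind != fields["type"]:
            continue
        if not (match_addr(src, fields["src"]) and match_addr(dst, fields["dst"])):
            continue
        if port != "*" and fields["dport"] != int(port):
            continue
        return num, action
    return None, default

def demo():
    """Constructed traffic; outside addresses come from the documentation ranges."""
    packets = [
        build_ipv4(6, "203.0.113.5", "192.168.1.18", build_tcp(40000, 80)),   # web to the one allowed host
        build_ipv4(6, "203.0.113.5", "192.168.1.20", build_tcp(40001, 80)),   # web to any other host
        build_ipv4(17, "203.0.113.5", "192.168.1.7", build_udp(5000, 69)),    # TFTP
        build_ipv4(17, "203.0.113.5", "192.168.1.7", build_udp(5000, 53)),    # other UDP
        build_ipv4(6, "192.168.1.9", "198.51.100.80", build_tcp(50000, 80)),  # outbound web
    ]
    return [evaluate(parse_packet(p)) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The five verdicts are rule 4 permit, default deny, rule 2 permit, rule 5 deny and rule 3 permit. Nothing in parse_packet or evaluate looks past the first four bytes of the transport header, so a forged source address or port is taken at face value; that is the limitation the packet filtering slide calls out.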
Firewall ruleset from a custom home router
 Taken from an ARSTechnica article

Image: http://arstechnica.co.uk/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/
There are many types of Firewalls
Key differences include:
• How implemented
◦ Software – slower, easier to deploy on personal computers
◦ Hardware – faster, somewhat safer, harder to add in
• Number of OSI levels of processing required
◦ Packet size (level 1)
◦ MAC (level 2) and IP (level 3) filtering
◦ Port filtering (level 4: port numbers are in the TCP/UDP header, not the IP header)
◦ Deep packet inspection (level 4 and above, into the application payload)

Today we will talk about:
• Packet filtering gateway
• Stateful inspection firewall
• Application proxy
• Personal firewalls
Packet filtering gateway or screening router
• Simplest – compares information found in the headers to the policy rules
• Operates at OSI level 3, reading IP addresses (and usually the port numbers from the level 4 header) but nothing of the payload
• Source addresses and ports can be forged, which a packet filter cannot detect
• Design is simple, but many rules are needed, so it is challenging to maintain
Stateful inspection firewall
• Maintains state from one packet to another
• Similar to a packet filtering gateway, but can remember recent events
• The most common use of that state is connection tracking: a packet from outside is accepted only if it answers a connection an inside host opened, so no standing inbound rule is needed for replies
• For example, if an outside host starts sending packets to many internal destination ports (aka a port scan) a stateful firewall would record the number of ports probed and, once it is over the threshold specified in the policy, block all further traffic from that host
Port scan
 An attacker is looking for applications listening on ports
 A single IP address (right) is contacting many ports (left) to see if any respond

Image: http://chrislee.dhs.org/projects/visualfirewall.html
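The stateful behaviour described on slide 20 and drawn on slide 21, as an added Python example that is not from the lecture. PortScanTracker does what the slide says: per outside source it remembers which internal destination ports were probed inside a time window and drops everything from that source once the count passes a policy threshold. ConnectionTable goes beyond the slide to the more common use of state, admitting an inbound packet only when it answers a connection an inside host opened. The threshold, the window, the 192.168.1.0/24 inside range and the documentation-range addresses are assumptions.

```python
from collections import defaultdict, deque

class PortScanTracker:
    """State kept across packets: for each outside source, the (timestamp, port)
    probes seen in the last `window` seconds. More than `threshold` distinct ports
    inside the window marks the source as a scanner, and it stays blocked."""

    def __init__(self, threshold=10, window=60.0):
        self.threshold = threshold
        self.window = window
        self.probes = defaultdict(deque)   # src -> deque of (ts, dport), oldest first
        self.blocked = {}                  # src -> timestamp at which it was blocked

    def check(self, ts, src, dport):
        """Return 'pass' or 'drop' for one packet arriving at time ts."""
        if src in self.blocked:
            return "drop"
        q = self.probes[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # expire probes older than the window
            q.popleft()
        if len({port for _, port in q}) > self.threshold:
            self.blocked[src] = ts
            return "drop"
        return "pass"


class ConnectionTable:
    """Assumed extension beyond the slide: remember outbound connections so that
    only their replies are let back in, with no standing inbound permit rule."""

    def __init__(self, inside_prefix="192.168.1."):
        self.inside_prefix = inside_prefix
        self.flows = set()   # (inside ip, inside port, outside ip, outside port)

    def check(self, src, sport, dst, dport):
        if src.startswith(self.inside_prefix):        # inside host opening a connection
            self.flows.add((src, sport, dst, dport))
            return "pass"
        if (dst, dport, src, sport) in self.flows:    # reply to a flow we recorded
            return "pass"
        return "drop"                                 # unsolicited inbound packet


def demo_scan():
    """Constructed traffic: one outside host walks ports 20..27 a second apart
    while another makes a single HTTPS connection."""
    tracker = PortScanTracker(threshold=5, window=10.0)
    scanner = [tracker.check(float(t), "203.0.113.9", 20 + t) for t in range(8)]
    normal = tracker.check(3.0, "198.51.100.4", 443)
    return scanner, normal

def demo_conn():
    table = ConnectionTable()
    return [
        table.check("192.168.1.9", 50000, "198.51.100.80", 80),   # inside opens a web connection
        table.check("198.51.100.80", 80, "192.168.1.9", 50000),   # the server's reply
        table.check("198.51.100.80", 80, "192.168.1.9", 50001),   # same server, unsolicited
    ]

if __name__ == "__main__":
    print(demo_scan())
    print(demo_conn())
```

The scanner's first five probes pass, the sixth crosses the threshold, and everything after that is dropped without being counted. State is also a resource an attacker can target: the per-source deque and the flow set grow with traffic, so a real device bounds both and ages out blocked sources and idle flows.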
Application proxy
• Simulates the (proper) effects of an application at OSI level 7
• Effectively a protective Man In The Middle that screens information at the application layer (OSI 7): it terminates the client's connection, inspects the reassembled request, and opens its own connection to the server
• Allows an administrator to block certain application requests
• For example:
◦ Block all web traffic containing certain words
◦ Remove all macros from Microsoft Word files in email
◦ Prevent anything that looks like a credit card number from leaving a database
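An added Python example, not from the lecture, of the first and third bullets on slide 22: an application proxy reads the whole HTTP request, which only exists once the traffic has been reassembled at level 7, and blocks a request whose body carries something that looks like a card number or one of a set of blocked words. The Luhn check is there so that an arbitrary 16-digit order reference is not mistaken for a card. The request parsing, the blocked-word list and the sample requests are constructed for the example.

```python
import re

# Assumed policy for the example; a real proxy would load this from configuration.
BLOCKED_WORDS = {"confidential"}

# 13 to 19 digits, optionally separated by single spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers: from the right, double every
    second digit, subtract 9 if that exceeds 9, and the total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Card-shaped digit runs that also pass Luhn; anything else is left alone."""
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body.
    Only the pieces the screening step needs are parsed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def screen_request(raw):
    """Level 7 decision the proxy makes before opening its own connection to the
    server: ('forward', raw) or ('block', reason)."""
    method, target, _headers, body = parse_http_request(raw)
    text = body.decode("utf-8", errors="replace")
    cards = find_card_numbers(text)
    if cards:
        return "block", f"{len(cards)} card number(s) in {method} {target}"
    words = sorted(w for w in BLOCKED_WORDS if w in text.lower())
    if words:
        return "block", "blocked word(s): " + ", ".join(words)
    return "forward", raw

# Constructed requests, not captured traffic. 4111 1111 1111 1111 is the
# well-known test card number; 1234 5678 9012 3456 fails the Luhn check.
SAMPLE_REQUESTS = [
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=4111 1111 1111 1111&cvv=123",
    b"POST /note HTTP/1.1\r\nHost: shop.example\r\n\r\norder ref 1234 5678 9012 3456",
    b"POST /upload HTTP/1.1\r\nHost: shop.example\r\n\r\nThis report is CONFIDENTIAL.",
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]

def demo():
    return [screen_request(r)[0] for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, demo()):
        print(verdict, req.split(b"\r\n", 1)[0].decode())
```

The first and third requests are blocked, the other two forwarded. A packet filter could not make this decision at all: the card number can be split across TCP segments, and a real proxy must also undo the encodings an attacker would use to hide it (URL encoding, gzip, base64 attachments) before the pattern check means anything.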
Personal firewalls
• Runs on the workstation that it protects (software)
• Provides basic protection, especially for home or mobile
devices
• Malicious software can disable part or all of the firewall
• Any rootkit type software can disable the firewall

Intrusion Detection Systems (IDS)
Firewalls are preventative, IDS detects a potential incident in progress
• At some point you have to let some traffic into and out of your network (otherwise users get upset)
• Many security incidents are caused by a user letting something malicious into the network, or by the user being an insider threat themselves
• These cannot all be prevented or anticipated in advance
• The next step is to identify that something bad is happening quickly so you can address it
Signature based
• Perform simple pattern matching and report situations that match the pattern
• Requires that the admin anticipate attack patterns in advance
• Attacker may test the attack against common signatures and adjust it until nothing matches
• Cannot detect a new type of attack until a signature for it exists
• High accuracy, low false positives (for the attacks it has signatures for)
Heuristic based (anomaly detection)
• Dynamically build a model of acceptable or “normal” behavior and flag anything that does not match
• Admin does not need to anticipate potential attacks
• System needs time to warm up to new behavior; whatever happens during that learning period, including an attack already under way, becomes part of “normal”
• Can detect new types of attacks
• Higher false positives, lower accuracy
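Slides 27 and 28 side by side, as an added Python example that is not from the lecture: a signature matcher runs two regular expressions over constructed web-server log lines, and a simple heuristic detector learns each source's requests per window during a training phase and then flags sources that exceed the learned mean by k standard deviations. The log format, the two signatures, the window and k, and all addresses are assumptions.

```python
import re
import statistics
from collections import Counter

# Assumed signatures: each is a pattern an admin wrote in advance for a known attack.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
}

def signature_alerts(lines):
    """Signature based: report every line that matches a known pattern."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


class RateAnomalyDetector:
    """Heuristic based: learn how many requests a source normally makes per
    `window` seconds, then flag sources that exceed mean + k * stdev."""

    def __init__(self, window=10.0, k=3.0):
        self.window = window
        self.k = k
        self.mean = None
        self.stdev = None

    def _rates(self, lines):
        """Requests per (source, window) bucket. Assumed log line format:
        '<timestamp> <source ip> <method> <path> <status>'."""
        counts = Counter()
        for line in lines:
            ts, src = line.split()[:2]
            counts[(src, int(float(ts) // self.window))] += 1
        return counts

    def train(self, lines):
        """The warm-up period: whatever happens here defines 'normal'."""
        values = list(self._rates(lines).values())
        self.mean = statistics.mean(values)
        self.stdev = statistics.pstdev(values)

    def detect(self, lines):
        if self.mean is None:
            raise RuntimeError("train() must run before detect()")
        # Floor the spread at 1 so a perfectly regular baseline still leaves some slack.
        threshold = self.mean + self.k * max(self.stdev, 1.0)
        return sorted({src for (src, _), n in self._rates(lines).items() if n > threshold})


def make_log(src, start, n, spacing, path="/index.html"):
    """Constructed log lines: n GET requests from src, `spacing` seconds apart."""
    return [f"{start + i * spacing:.1f} {src} GET {path} 200" for i in range(n)]

# Training traffic: two hosts browsing at a normal rate for a minute.
TRAINING = make_log("10.0.0.1", 0.0, 18, 3.3) + make_log("10.0.0.2", 1.0, 12, 5.0)

# Later traffic: 10.0.0.1 keeps browsing but sends one traversal attempt, and a
# new host 10.0.0.3 makes 40 requests in four seconds (no signature exists for that).
LATER = (make_log("10.0.0.1", 61.0, 3, 3.0)
         + make_log("10.0.0.3", 60.0, 40, 0.1, path="/login")
         + ["70.5 10.0.0.1 GET /../../etc/passwd 404"])

def demo():
    """Returns (signature names that fired, sources the heuristic flagged)."""
    detector = RateAnomalyDetector(window=10.0, k=3.0)
    detector.train(TRAINING)
    return [name for name, _ in signature_alerts(LATER)], detector.detect(LATER)

if __name__ == "__main__":
    print(demo())
```

Each detector sees the other's blind spot: the flood from 10.0.0.3 raises no signature alert because nobody wrote one, and the single traversal request never moves 10.0.0.1's rate, so only the signature catches it. Train on traffic that already contains the flood and detect() stops reporting it, which is the warm-up risk on slide 28.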
Number of alarms is a big problem
• In the Target breach the IDS did correctly identify that there
was an attack on the Target network
• There were too many alarms going off to investigate all of
them in great depth
• Some cyberattack insurance policies state that if you know
about an attack and do nothing they will not cover the attack.
• Having a noisy IDS can potentially be a liability

Network Address Translation (NAT)
Questions
